Threat hunting has become a hot topic. It’s clear that security pros have begun to recognize that detection tools and monitoring are not sufficient to do battle against today’s cyber threats. In a recent Crowd Research Threat Hunting Survey, 79% of respondents said that threat hunting is a top security initiative for 2017.
However, despite the intent to become more proactive in their security approach, respondents said that 43% of their time is spent being reactive to threats and only 23% proactively seeking threats. And 2/3 of SOCs reported that they did not have a threat hunting platform to help them seek out threats.
As with any security initiative, there are many factors that go into a program’s success. Enterprise security teams that want to engage in threat hunting need to consider a number of factors to make it a reality. While threat hunting can be a manual process, there are new solutions available that are custom built to get the job done. How? They help automate parts of the process so your team can speed up the discovery process and focus on incident response, instead of combing through logs and files manually.
Here are 4 key steps you need to put in place to get a threat hunting program jump started.
1. Find Your Hunters – they may be closer than you think. There’s been a lot of talk about who fits the profile of a threat hunter. Some argue that it’s limited to highly skilled security one percenters and consultants. While that may have been true in the past, it is possible to empower your existing internal security and IT teams to hunt. You just need to provide them with the right tools for the job. Which leads us to the next step.
2. Automate the Hunt – According to the Threat Hunting Survey, it takes teams 38 days to detect and another 26 days to investigate threats without any automation. Enterprises that have some type of threat hunting platform employed saw a 2.5X and 2X improvement respectively.
For the mature enterprise SOC already hunting, Infocyte HUNT enables you to do away with the custom scripts and other one-host-at-a-time DFIR processes you use to validate any suspicious behaviors that your team detects. Now you can iteratively and effectively sweep all endpoints to find entrenched threats and beachheads hiding on any of your endpoints. Some SOCs are probably already doing a lighter, less scalable version of this now using a custom tool set or scripting out an endpoint querying tool.
3. Respond to Found Threats – Now that you’ve put automation in place, what do you do when you find a threat? A good threat hunting platform should give you detailed information on what has been discovered and the severity of the threat so it can be investigated further. Think of it as incident response triage. Infocyte HUNT gives malware and threat analysis drill-down that can easily be pivoted on, as well as isolation actions from a click of the mouse.
4. Repeat – Threat hunting is not an annual or quarterly activity – cyberthreats are constant. Hackers don’t take days off and your threat hunting program can’t afford to either. Automation is the key to ensuring you can regularly hunt for any compromises that have bypassed other defenses, without exhausting your resources.
Proactively hunting for post-compromise threats is quickly becoming a new standard approach for enterprise security. By following these 4 steps to automate the hunt for threats, enterprises can virtually eliminate attacker dwell time to limit damage and better protect networks.
Ready to start hunting? Request a demo of Infocyte HUNT.